Disclose or Exploit? A Game-Theoretic Approach to Strategic Decision Making in Cyber-Warfare

Today, countries are engaged in the cyber-arms race. With over 16 K new hardware/software vulnerabilities reported in 2018 alone, an important question confronts senior government decision makers when their cyber-warfare units discover a new vulnerability. Should they disclose the vulnerability to the vendor who produced the vulnerable product? Or should they “stockpile” the vulnerability, holding it for developing exploits (i.e., cyber-weapons) that can be targeted at an adversary? Choosing the first option may be important when the affected company is a corporation in the nation state that discovers the vulnerability and/or if that nation state would have a big exposure to that vulnerability. Choosing the second option has obvious advantages to the discovering nation's defense. We formulate the cyber-competition between countries as a repeated cyber-warfare game (RCWG), where two countries (players) compete over a series of vulnerabilities by deciding, at the time of vulnerability discovery, 1) whether to exploit or disclose it and 2) how long to exploit it if they decide to exploit. We define the equilibrium state of the RCWG as a pure strategy Nash equilibrium, and propose a learning-while-competing framework to compute the pure strategy Nash equilibrium of the formulated RCWG. Although testing our results with real data in the murky world of cyber-warfare is challenging, we were able to obtain real statistics from other sources and demonstrate the effectiveness of our proposed algorithm through a set of simulation results under different scenarios using these third-party statistics. We also report on our DiscX system that can help support government decision makers in their decision whether to disclose or exploit a vulnerability that they find.

[1]  Huseyin Cavusoglu,et al.  Efficiency of Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Knowledge , 2007, IEEE Transactions on Software Engineering.

[2]  Karthik N. Kannan,et al.  An Economic Analysis of Market for Software Vulnerabilities , 2004 .

[3]  Leyla Bilge,et al.  Before we knew it: an empirical study of zero-day attacks in the real world , 2012, CCS.

[4]  Lillian Ablon,et al.  Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits , 2017 .

[5]  David J. Pym,et al.  The U.S. Vulnerabilities Equities Process: An Economic Perspective , 2017, GameSec.

[6]  Chaim Fershtman,et al.  Network Security: Vulnerabilities and Disclosure Policy , 2007, WEIS.

[7]  Brian W. Cashell The Economic Impact of Cyber-Attacks , 2004 .

[8]  Bernhard Plattner,et al.  Large-scale vulnerability analysis , 2006, LSAD '06.

[9]  L. Demause,et al.  Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power , 2013 .

[10]  Hao Xu,et al.  Optimal Policy for Software Vulnerability Disclosure , 2008, Manag. Sci..

[11]  Stephanie Forrest,et al.  Strategic aspects of cyberattack, attribution, and blame , 2017, Proceedings of the National Academy of Sciences.

[12]  Paul A. Watters,et al.  A methodology for estimating the tangible cost of data breaches , 2014, J. Inf. Secur. Appl..

[13]  Quanyan Zhu,et al.  Analysis and Computation of Adaptive Defense Strategies Against Advanced Persistent Threats for Cyber-Physical Systems , 2018, GameSec.

[14]  Sushil Jajodia,et al.  Pareto-Optimal Adversarial Defense of Enterprise Systems , 2015, TSEC.

[15]  D. Kushner,et al.  The real story of stuxnet , 2013, IEEE Spectrum.

[16]  Bernhard Plattner,et al.  An economic damage model for large-scale Internet attacks , 2004, 13th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises.

[17]  Ravishankar K. Iyer,et al.  Game Theory with Learning for Cyber Security Monitoring , 2016, 2016 IEEE 17th International Symposium on High Assurance Systems Engineering (HASE).

[18]  Phongphun Kijsanayothin,et al.  Cyber-security analysis of smart grid SCADA systems with game models , 2014, CISR '14.

[19]  Stefan Frei,et al.  Security econometrics: The dynamics of (in)security , 2009 .